Guarding a Monitoring Scope and Interpreting Partial Control Flow Context

1. A computer implemented method comprising the steps of: inserting code into a software system with logic to detect an execution of unexpected code and recovery of call paths when the execution happens by maintaining, in a software system, a program's calling context correct even when a monitoring of the program goes out of a scope of a program analysis by validating function call transitions and recovering partial paths before and after the violation of the program's control flow, the maintaining comprising: i) detecting a violation of control flow invariants in the software system including validating a source and destination of a function call in the software system and validating a function call on a caller side where an expected callee value is stored in a shared variable and the callee value is checked whether for matching the callee at an entry of the callee function; ii) preserving pre and post violation states; iii) interpreting a pre-violation partial path responsive to a failure of the validating; and iv) interpreting a post violation path after a violation of program flow; and when the code out of program analysis executes in an incident, detecting the incident by the code and recovering partial paths before and after the incident.

2. The method of claim 1 , wherein the detecting includes detecting a moment when a program executes in a different way from the program analysis while determining the source and destination of each function call which is validated at runtime by inserting code into a program, the code detecting the moment by validating whether each function call complies with the pair information from the program analysis.

3. The method of claim 1 , wherein interpreting a pre-violation path comprises failure of the validating including storing the program status to recover a last valid program call path before the violation, specifically, on detection of a violation, the last program status and the source of the call are stored.

4. The method of claim 1 , wherein when a call path after a violation of program flow is an unexpected flow in a program analysis, the step of interpreting a post violation path includes recording and decoding the program status after the violation by introducing a virtual context in which there is a reset of the encoding ID of program context as 0 when a violation occurs and the following call path can be correctly decoded using the original decoding procedure because it complies with the properties of the original encoding scheme.

5. The method of claim 1 , wherein steps i-iii) enable monitoring and addressing an inconsistency between a runtime program status and a program analysis result and detecting the incident that the runtime program status diverges from its analysis result at runtime and recovering and maintaining accurate program status.

6. The method of claim 1 , wherein step i) comprises detecting unexpected program function calls and generating expected function call patterns and the being invariants of function calls triggering an action on violation.

7. The method of claim 1 , wherein a basic mechanism to validate a function call is that in a caller side an expected callee value is stored in a shared variable and this value is checked whether it matches the callee at its entry of the callee function.

8. The method of claim 1 , wherein for step i), responsive to one caller in a having multiple callees with respect to function calls, as the detection of the violation is performed by matching information in the caller and its callee, the code is inserted in respectively the caller and the callee.

9. The method of claim 1 , wherein for step i), responsive to one caller in a having multiple callees with respect to function calls, using a thread local storage and in the callee, an expected callee identification is compared with the callee identification of a current function, which is statically determined when this callee side instrumentation code is generated, and if they are different, a violation of control flow invariant occurs.

10. The method of claim 1 , wherein step ii) comprises, when a violation happens, recovery of the pre-violation path comprises popping the last identification and a call site that implies the function from the stack, resolve the call context using the last identification at the function where the call site belongs to with the resolved path representing the partial path from the root to the last function before the violation.

11. The method of claim 1 , wherein step iii) comprises, when a violation happens, pushing a caller function of a violation.

12. A system for maintaining, in a software system, a program's calling context correct even when a monitoring of the program goes out of a scope of a program analysis by validating function call transitions and recovering partial paths before and after the violation of the program's control flow by inserting code into a software system with logic to detect an execution of unexpected code and recovery of call paths when the execution happens, the maintaining comprising: i) with a processor, detecting a violation of control flow invariants in the software system including validating a source and destination of a function call in the software system and validating a function call on a caller side where an expected callee value is stored in a shared variable and the callee value is checked whether for matching the callee at an entry of the callee function; ii) preserving pre and post violation states; iii) interpreting a pre-violation partial path responsive to a failure of the validating; and iv) interpreting a post violation path after a violation of program flow, and when the code out of program analysis executes in an incident, detecting the incident by the code and recovering partial paths before and after the incident.

13. The system of claim 12 , wherein the detecting includes detecting a moment when a program executes in a different way from the program analysiswhile determining the source and destination of each function call which is validated at runtime by inserting code into a program, the code detecting the moment by validating whether each function call complies with the pair information from the program analysis.

14. The system of claim 12 , wherein interpreting a pre-violation path comprises failure of the validating including storing the program status to recover a last valid program call path before the violation, specifically, on detection of a violation, the last program status and the source of the call are stored.

15. The system of claim 12 , wherein when a call path after a violation of program flow is an unexpected flow in a program analysis, the step of interpreting a post violation path includes recording and decoding the program status after the violation by introducing a virtual context in which there is a reset of the encoding ID of program context as 0 when a violation occurs and the following call path can be correctly decoded using the original decoding procedure because it complies with the properties of the original encoding scheme.

16. The system of claim 12 , wherein steps i-iii) enable monitoring and addressing an inconsistency between a runtime program status and a program analysis result and detecting the incident that the runtime program status diverges from its analysis result at runtime and recovering and maintaining accurate program status.

17. The system of claim 12 , wherein for step i), responsive to one caller in a having multiple callees with respect to function calls, as the detection of the violation is performed by matching information in the caller and its callee, the code is inserted in respectively the caller and the callee.

18. The method of claim 12 , wherein for step i), responsive to one caller in a having multiple callees with respect to function calls, using a thread local storage and in the callee, an expected callee identification is compared with the callee identification of a current function, which is statically determined when this callee side instrumentation code is generated, and if they are different, a violation of control flow invariant occurs.

19. The method of claim 1 , wherein step ii) comprises, when a violation happens, recovery of the pre-violation path comprises popping the last identification and a call site that implies the function from the stack, resolve the call context using the last identification at the function where the call site belongs to with the resolved path representing the partial path from the root to the last function before the violation.

20. The method of claim 1 , wherein step iii) comprises, when a violation happens, pushing a caller function of a violation.